Our Assessment and Testing Services

We have a straightforward, three-part approach to cyber security:

We can only work with clients who share our mission-oriented passion for securing organizational assets. Before you can fix a problem, you must be fully committed to understanding it; otherwise you are wasting your money and time.

To that end, we offer the most comprehensive package of assessment and testing services in the industry. Our twelve, full-range assessments can be tailored to meet your requirements. Our trained, experienced professionals know what they are looking for and what questions to ask. We get the job done smoothly and efficiently. Once correctly accomplished, you can be assured that your cyber security program has the solid foundation necessary for effective mitigation and incident response.

Initial Client Scoping

This introductory, complimentary service includes an initial bird's-eye view of a potential client's enterprise cyber security risk posture, from top to bottom. This will give both us and your management a baseline understanding of what needs to be done to protect the company and ensure its continuity in today's threat environment.

(Our twelve assessments are listed in alphabetical order)

(1) Application Assessment

All applications have bugs in them; most have architectural flaws, design flaws or configuration issues that create security vulnerabilities in the application and potentially the host network. The question is how easy it is for attackers to discover and exploit these vulnerabilities. According to the Verizon Data Breach Investigations Report, application attacks account for 35% of all breaches. It is critical that the software development process takes security into account at every step. Recently Juniper, the security products company (firewalls), announced that someone inserted unauthorized code into their software library that allowed attackers to take over any network behind that Juniper hardware. Our application assessment can evaluate the software development process, developer training, quality assurance processes and code checking process, and review code to identify the vulnerabilities. Learn more...

(2) Asset Management Processes Assessment

As smart devices (devices with a processor and storage) proliferate, it is important that businesses are able to track those assets - what they are used for - by whom - and in what context. Those devices can be the source of an attack or the vehicle for a breach. Businesses need to have a formal process for tracking these assets. We break assets down into hardware, software and cloud assets.

  • Cloud Services Inventory. What is the process for tracking cloud service usage and access? What policies and procedures are in place to track cloud service usage and ensure that appropriate controls are in place?
  • Hardware Inventory. For most companies, hardware is the easiest asset to track; it is often tied into the purchasing or capital acquisition process. But as the business model changes (for example, BYOD), that tracking process has to morph as well. Just because an employee or vendor owns the asset that connects to your data does not make it any less of a threat.
  • Software Inventory. With the ability for anyone with an Internet-connected device to download almost any piece of software (legal or bootleg), the process of managing what software is being used by the organization, by whom and under what license becomes dramatically harder. In addition, where that software stores its data may not be so obvious. The company's software inventory process needs to change to accommodate this and ensure that the company is compliant with each software license and that data is being tracked and managed.

(3) Board of Directors Assessment

The Board of Directors is ultimately responsible for mitigating cyber risk inside the company. As we have seen in recent legal cases, how active the Board is in overseeing the mitigation of that cyber risk can affect the outcome of lawsuits. Our assessment reviews the Board's current level of oversight in this process and makes recommendations, if appropriate, for reducing Directors' risk in the case of a breach-related lawsuit. We turn boards into valuable strategic assets exercising cyber security oversight. Learn more...

(4) Cyber Insurance Assessment

Many organizations have some form of cyber insurance. Whether that insurance will actually pay out in case of an incident is a different story. Insurance carriers are becoming more cautious in paying claims and in some cases, will attempt to get out of paying a claim, based on what a company said they were doing in the application documentation. Our assessment improves the likelihood that, in case of a breach, your company will have the appropriate coverage and will be successful in any claims for reimbursement under the terms of the policy.

(5) HIPAA/HITECH Assessment

(For healthcare organizations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit. Since our pre-audit is an informal review, many items may be fixable on the fly, reducing later exposure to a real audit. The advantage of doing this is that an actual audit will come out cleaner and will show fewer violations. Our pre-audit and assessment can be done at any time and even more frequently than the HIPAA/HITECH required audit frequency.

(6) Incident Response Readiness Assessment

As organizations like Sony and the U.S. Office of Personnel Management (OPM) discovered, the time to test the organization's incident response readiness is not during an incident. If the organization does not have a plan, we can assist in creating one. If the organization has not recently tested its plan, we can assist with the design and test of the plan. If a plan exists and is tested, then this assessment will review the scope of the plan to determine if the 'coverage' of the plan is sufficient for the organization. Coverage means that the incident response plan deals with the range of reasonably expected incident types, and how well it deals with them. If the plan has been recently tested, then this assessment can additionally review that test and help the organization enhance the plan to more effectively address future potential incidents. Learn more...

(7) IS/IT Operations Assessment

Our IS/IT (information systems/information technology) operations assessments look at the operational aspects of an IT organization. The eight sub-topics of our operations assessment include:

  • Cloud Assessment. A cloud assessment reviews the cloud services that a company uses, how they use them, and the cyber risk implications of that usage.
  • Data Assessment. A data assessment reviews the organization's data management processes. What data it collects. How long it retains it. Where it is stored. How it is protected. When it is deleted. How all this is managed and how you are sure all this happens. Every time.
  • Malware Assessment. A professional scan of your systems looking for previously installed malware.
  • Network Assessment. A network assessment reviews the connectivity component of an organization and looks for vulnerabilities - and vulnerabilities that are exploitable - internally to the company and/or externally. Learn more...
  • Operations Assessment. An operations assessment reviews IS/IT operations - the processes and procedures that the IS/IT organization uses to manage the technology of the company. This includes everything from help desk to disaster recovery - how well it supports the company and reduces the cyber risk to the company.
  • Penetration Testing. A pen test is an authorized, controlled break-in to your system with very specifically defined requirements and goals. Learn more...
  • Phishing Attacks/Testing. A series of email and SMS tests designed to expose personnel weaknesses and vulnerabilities regarding email and texting attacks.
  • Servers Assessment. A server assessment reviews the configuration, design, management, operational efficiency and, of course, how all of that impacts the security of the infrastructure, data and intellectual property of the company.

(8) M&A Assessment

Most of the time when an investor acquires a company, it acquires both the assets and the liabilities, and the value of such companies is now affected by cyber risk. When it comes to cyber risk, investors, for the most part, are assuming an unknown risk - and one which is completely unbounded. The investors don't know how big a cyber risk they are assuming. And the risk may not show up for years - and then it could destroy the company. Our M&A assessment process reduces the unknown and unbounded risks investors assume. An investor would never make an investment without reviewing the finances of the target company or the sales strategy of that company, but for the most part, they do not review the cyber risk they are assuming. We help investors solve that problem.

(9) PCI Assessment (Audit)

(Credit card operations) Our services include a pre-audit review and assessment to identify items that would be called out in an actual audit - prior to doing that audit. Since this is an informal review, many items may be fixable on the fly. The advantage of doing this is that the actual audit will come out cleaner and will show fewer violations. An assessment can be done at any time and even more frequently than PCI rules require.

(10) Policy Assessment

Policies are a first line of defense in corporate information risk mitigation. Of course, the best policies are useless if employees don't know about them, don't understand them or don't follow them. Our policy assessment reviews the existing policies and procedures for completeness, usability, training and enforcement.

(11) Privacy Assessment

Almost all companies today have a privacy policy. Whether that privacy philosophy is integrated at the cellular level of the company is quite a different matter from whether a company has a document. After the Snowden revelations, many companies expressed surprise that our government - as well as many other governments - might be eavesdropping on their digital conversations. For those companies, privacy was a document. Many companies are now looking at privacy at a whole different level, and it affects every person in the organization. Our assessment and recommendations help an organization shift from privacy as a document to privacy as a fundamental, existential component of the company.

(12) Vendor Risk Assessment

Many companies outsource pieces of their business. Whether that is a customer-facing call center, software developers, database administrators, human resources, insurance management, legal or a host of other outsourcing possibilities, these vendors, in many cases, have the keys to your universe. The Target attackers, for example, got into Target by attacking a small refrigeration maintenance company. Every company should have a vendor risk management program that reviews the exposure every vendor creates for the company and, based on that level of risk, reviews the vendor's own cyber risk management program. We can help set up a VRM program if you don't have one, or review and assess the one in place if you do have one. The assessment will provide recommendations to help improve the program and reduce the risk introduced by vendors.

Common question: My CIO is in favor of bringing in a consulting firm to assess our security program following a series of minor security incidents. I'm reluctant to do so because I think it will only serve as a distraction. Should I hold firm, or find a way to work with the consultants, and if so, what's the best way to do so?